Create a new function, get_random_bytes_arch() which will use the architecture-specific hardware random number generator if it is present. Change get_random_bytes() to not use the HW RNG, even if it is available.

The reason for this is that the hw random number generator is fast (if it is present), but it requires that we trust the hardware manufacturer to have not put in a back door. (For example, an increasing counter encrypted by an AES key known to the NSA.)

It's unlikely that Intel (for example) was paid off by the US Government to do this, but it's impossible for them to prove otherwise --- especially since Bull Mountain is documented to use AES as a whitener. Hence, the output of an evil, trojan-horse version of RDRAND is statistically indistinguishable from an RDRAND implemented to the specifications claimed by Intel. Short of using a tunnelling electronic microscope to reverse engineer an Ivy Bridge chip and disassembling and analyzing the CPU microcode, there's no way for us to tell for sure.

Since users of get_random_bytes() in the Linux kernel need to be able to support hardware systems where the HW RNG is not present, most time-sensitive users of this interface have already created their own cryptographic RNG interface which uses get_random_bytes() as a seed. So it's much better to use the HW RNG to improve the existing random number generator, by mixing in any entropy returned by the HW RNG into /dev/random's entropy pool, but to always _use_ /dev/random's entropy pool.

This way we get almost all of the benefits of the HW RNG without any potential liabilities. The only benefit we forgo is the speed/performance enhancements --- and generic kernel code can't depend on get_random_bytes() having the speed of a HW RNG anyway.

For those places that really want access to the arch-specific HW RNG, if it is available, we provide get_random_bytes_arch().
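As an added illustration of the design the message describes (this is example code, not the patch's or the kernel's own), here is a small C model of the data flow: a pool that the hardware RNG output is mixed into, a get_random_bytes() equivalent that only ever extracts from the pool, and a get_random_bytes_arch() equivalent that reads the hardware source directly and falls back to the pool. The pool layout, the splitmix64-style mixer, the simulated hardware source and every name prefixed `toy_` are assumptions made for this example; the kernel's real mixing and extraction functions are different and are not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Toy entropy pool of four 64-bit words. The kernel's pool, mixing function
 * and extraction hash are different; this models only the data flow. */
#define POOL_WORDS 4
struct toy_pool { uint64_t w[POOL_WORDS]; };

/* Stand-in mixing step (splitmix64-style), NOT a cryptographic primitive. */
static uint64_t mix64(uint64_t z) {
	z += 0x9e3779b97f4a7c15ULL;
	z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
	z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
	return z ^ (z >> 31);
}
/* Fold input into the pool; each byte perturbs one word, chained with its
 * neighbour so the whole state depends on the whole input. */
void toy_mix_pool_bytes(struct toy_pool *p, const void *in, size_t n) {
	const unsigned char *b = in;
	for (size_t i = 0; i < n; i++) {
		size_t k = i % POOL_WORDS;
		p->w[k] = mix64(p->w[k] ^ b[i] ^ p->w[(k + 1) % POOL_WORDS]);
	}
}
/* Derive output from the whole pool, stirring it after every 8-byte block so
 * the same bytes cannot be extracted twice. */
void toy_extract(struct toy_pool *p, void *out, size_t n) {
	unsigned char *o = out;
	uint64_t acc = 0;
	for (size_t i = 0; i < n; i++) {
		if (i % 8 == 0) {
			acc = 0;
			for (int k = 0; k < POOL_WORDS; k++) acc = mix64(acc ^ p->w[k]);
			p->w[(i / 8) % POOL_WORDS] = mix64(p->w[(i / 8) % POOL_WORDS] ^ acc);
		}
		o[i] = (unsigned char)(acc >> (8 * (i % 8)));
	}
}
/* Constructed stand-in for an arch HW RNG: a presence flag plus a fixed
 * counter, so its "output" is reproducible for the checks below. */
static int hw_present = 1;
static uint64_t hw_counter = 0x1234;
int toy_arch_get_random_long(uint64_t *v) {
	if (!hw_present) return 0;
	*v = mix64(hw_counter++);
	return 1;
}
/* Model of the patched get_random_bytes(): pool output only, never the HW RNG. */
void toy_get_random_bytes(struct toy_pool *p, void *buf, size_t n) { toy_extract(p, buf, n); }
/* Model of get_random_bytes_arch(): HW RNG first, pool for whatever the
 * hardware does not supply (fallback behaviour assumed for this example). */
void toy_get_random_bytes_arch(struct toy_pool *p, void *buf, size_t n) {
	unsigned char *o = buf;
	uint64_t v;
	while (n > 0 && toy_arch_get_random_long(&v)) {
		size_t chunk = n < sizeof v ? n : sizeof v;
		memcpy(o, &v, chunk);
		o += chunk;
		n -= chunk;
	}
	if (n > 0) toy_extract(p, o, n);
}
/* Credit HW RNG output to the pool: the pool gets better, but callers of
 * toy_get_random_bytes() still only ever see pool output. */
size_t toy_credit_hw_to_pool(struct toy_pool *p, size_t nlongs) {
	uint64_t v;
	size_t got = 0;
	while (got < nlongs && toy_arch_get_random_long(&v)) {
		toy_mix_pool_bytes(p, &v, sizeof v);
		got++;
	}
	return got;
}
/* Bitmask: 1 = pool output differs from the raw HW stream; 2 = same HW input
 * but different other entropy gives different output; 4 = with no HW RNG,
 * toy_get_random_bytes_arch() still fills the buffer from the pool. */
unsigned toy_demo(void) {
	static const unsigned char boot_a[] = "constructed boot entropy A";
	static const unsigned char boot_b[] = "constructed boot entropy B";
	struct toy_pool pa = {{0}}, pb = {{0}}, spare = {{0}};
	unsigned char out_a[16], out_b[16], raw[16], fb[16] = {0}, zero[16] = {0};
	unsigned ok = 0;
	toy_mix_pool_bytes(&pa, boot_a, sizeof boot_a);
	toy_mix_pool_bytes(&pb, boot_b, sizeof boot_b);
	hw_present = 1;
	hw_counter = 0x1234; toy_credit_hw_to_pool(&pa, 4);
	hw_counter = 0x1234; toy_credit_hw_to_pool(&pb, 4); /* same HW stream */
	toy_get_random_bytes(&pa, out_a, sizeof out_a);
	toy_get_random_bytes(&pb, out_b, sizeof out_b);
	hw_counter = 0x1234; toy_get_random_bytes_arch(&spare, raw, sizeof raw);
	if (memcmp(out_a, raw, sizeof raw) != 0) ok |= 1;
	if (memcmp(out_a, out_b, sizeof out_a) != 0) ok |= 2;
	hw_present = 0; /* no HW RNG on this "machine" */
	toy_get_random_bytes_arch(&pa, fb, sizeof fb);
	if (memcmp(fb, zero, sizeof fb) != 0) ok |= 4;
	hw_present = 1;
	return ok;
}
/* Exit status 0 when all three properties hold. */
int main(void) { return toy_demo() == 7 ? 0 : 1; }
```

toy_demo() returns 7 when all three properties hold: what a get_random_bytes() caller receives is never the hardware stream itself, the output still depends on the other entropy that was mixed in, and the arch variant keeps working (from the pool) on a machine with no hardware RNG. That is exactly the trade the commit message describes: the hardware source can only add to the pool, so a flawed or untrustworthy source costs the generic interface nothing but speed.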

/* * This function is the exported kernel interface. It returns some- * number of good random numbers, suitable for seeding TCP sequence- * numbers, etc.+ * number of good random numbers, suitable for key generation, seeding+ * TCP sequence numbers, etc. It does not use the hw random number+ * generator, if available; use get_random_bytes_arch() for that. */ void get_random_bytes(void *buf, int nbytes) {+ extract_entropy(&nonblocking_pool, buf, nbytes, 0, 0);+}+EXPORT_SYMBOL(get_random_bytes);++/*+ * This function will use the architecture-specific hardware random+ * number generator if it is available. The arch-specific hw RNG will+ * almost certainly be faster than what we can do in software, but it+ * is impossible to verify that it is implemented securely (as+ * opposed, to, say, the AES encryption of a sequence number using a+ * key known by the NSA). So it's useful if we need the speed, but+ * only if we're willing to trust the hardware manufacturer not to+ * have put in a back door.+ */+void get_random_bytes_arch(void *buf, int nbytes)+{ char *p = buf;
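Review bot: The new header comment on get_random_bytes_arch() says it "will use the architecture-specific hardware random number generator if it is available" but never says what the caller gets when it is not; since this is the function the message points speed-sensitive callers at, state the fallback explicitly (for example "bytes the hardware cannot supply are drawn from the nonblocking pool") so callers know the buffer is always filled. Also, the reworded get_random_bytes() comment, "It does not use the hw random number generator, if available", reads as though it might use it sometimes; "even if one is available", matching the commit message, is unambiguous.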